Questions on traffic shaping for multiple clients with tc

Linux Advanced Routing and Traffic Control




I need to divide bandwidth between several clients connected through IPSEC.

I found this article:

But my requirements are a little bit more complicated and I need some
additional advice.

== How to assign MARK to a new client ==

1) I have not just one, but several clients that dynamically
connect and receive IPs. How can I assign a firewall mark/class
My current idea is to store mark in the shared memory and increment it
with every new client.

Sounds relatively complicated. I can do it, but maybe there is a
simpler solution? Any other ideas are welcome.

Another approach I am aware of is to make a hash from the IP address. In
this case the hash will be 16 bits (the range for a tc class id) while the IP
contains 32 bits. Does not look that good.

== Filters / Classificators ==

2) I want to have two classes per VPN client. One for priority traffic
and another for everything else. I use two marks to achieve this -

2.1 SSH traffic: put into priority queue (ssh but NOT scp):

iptables -t mangle -A INPUT -i $DEV -s $IP -p tcp -m tos --tos 0x10 -j

2.2 ICMP: put into priority queue:

iptables -t mangle -A INPUT -i $DEV -s $IP -p icmp -j CONNMARK --set-mark ${MARKFW_ONE}

2.3 To speed up downloads while an upload is going on, put ACK packets
in priority class:

iptables -t mangle -A INPUT -i $DEV -s $IP -p tcp --tcp-flags ALL ACK -j CONNMARK --set-mark ${MARKFW_ONE}

2.4 Everything else:

iptables -t mangle -A INPUT -i $DEV -s ${IP} -j CONNMARK --set-mark

And at the end:

# Propagate netfilter marks on connections
iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark

Questions are:

- 2.3: It looks like I am wrong here because this rule shall mark the
whole connection, not the packet. Shall I simply use -j MARK in this
- 2.2: Shall I replace -j CONNMARK with -j MARK for ICMP case?
- 2.1 - 2.4: Can I use the -j CLASSIFY target instead of marking the
packets and connections? I am under the impression that I can use it for
case 2.2 and maybe 2.3, but NOT in the other cases, where the connection
shall be marked.
- 2.1: Is this a proper way to identify ssh traffic (and not scp)?

Thanks in advance!

WBR & WBW, Vitaly
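The following script is an added example written for this archive page; it is not code from the original post nor an answer that appeared on the LARTC list. It shows one concrete way to do what question 1 describes (a persistent counter that hands each newly connected client its own mark) and how the marking rules from 2.1 to 2.4 can be split between per-packet MARK and per-connection CONNMARK. It assumes a VPN-facing interface named ipsec0, a shaping device ifb0 that already carries an HTB tree with root handle 1: and a parent class 1:1, a counter file under /tmp, and that interactive ssh is identified as TCP port 22 with TOS 0x10; all of these names and the rate values are placeholders. The script prints the rules instead of executing them, so it runs without root and can be reviewed before being piped to sh on the gateway.

```shell
#!/bin/sh
# Added example, not from the original post: allocate a per-client firewall mark
# from a counter file and print the iptables/tc rules for that client.
# Rules are printed rather than executed, so no root is needed to run this;
# pipe the output to sh on the gateway to apply it.
DEV="${DEV:-ipsec0}"                 # assumed: interface the VPN clients arrive on
SHAPEDEV="${SHAPEDEV:-ifb0}"         # assumed: device carrying the HTB tree (root 1:, parent class 1:1)
STATE="${STATE:-/tmp/lartc_marks}"   # constructed: counter file holding the last number handed out

# Hand out the next client number under a mkdir lock (mkdir is atomic on POSIX
# filesystems), so two client-up hooks running at once never share a number.
alloc_mark() {
    lock="$STATE.lock"
    until mkdir "$lock" 2>/dev/null; do sleep 1; done
    n=$(cat "$STATE" 2>/dev/null || echo 0)
    n=$((n + 1))
    if [ "$n" -gt 32767 ]; then          # two 16-bit class ids per client
        rmdir "$lock"; echo "mark space exhausted" >&2; return 1
    fi
    echo "$n" > "$STATE"
    rmdir "$lock"
    echo "$n"
}

# Client n gets class minor ids 2n (priority) and 2n+1 (bulk); mark 0 stays
# reserved for "unmarked". Values are emitted in hex with a 0x prefix so the
# iptables marks, tc classids and fw filter handles all refer to the same number.
gen_rules() {
    ip=$1; n=$2
    prio=$(printf '%x' $((2 * n)))
    bulk=$(printf '%x' $((2 * n + 1)))
    cat <<EOF
# client $ip: priority class 1:$prio, bulk class 1:$bulk
# per-packet decisions (interactive ssh, ICMP, bare ACKs) use MARK;
# only the per-connection default uses CONNMARK, restored on later packets
iptables -t mangle -A INPUT -i $DEV -s $ip -p tcp --dport 22 -m tos --tos 0x10 -j MARK --set-mark 0x$prio
iptables -t mangle -A INPUT -i $DEV -s $ip -p icmp -j MARK --set-mark 0x$prio
iptables -t mangle -A INPUT -i $DEV -s $ip -p tcp --tcp-flags ALL ACK -j MARK --set-mark 0x$prio
iptables -t mangle -A INPUT -i $DEV -s $ip -m mark --mark 0 -j CONNMARK --restore-mark
iptables -t mangle -A INPUT -i $DEV -s $ip -m mark --mark 0 -j CONNMARK --set-mark 0x$bulk
iptables -t mangle -A INPUT -i $DEV -s $ip -m mark --mark 0 -j MARK --set-mark 0x$bulk
tc class add dev $SHAPEDEV parent 1:1 classid 1:$prio htb rate 256kbit prio 0
tc class add dev $SHAPEDEV parent 1:1 classid 1:$bulk htb rate 1mbit prio 1
tc filter add dev $SHAPEDEV parent 1: protocol ip handle 0x$prio fw flowid 1:$prio
tc filter add dev $SHAPEDEV parent 1: protocol ip handle 0x$bulk fw flowid 1:$bulk
EOF
}

# Usage: sh this_script.sh <client-ip>   (prints the rules for a freshly allocated number)
[ $# -eq 0 ] || gen_rules "$1" "$(alloc_mark)"
```

The rule order matters: the three MARK rules decide per packet, the restore-mark rule then fills in the stored connection mark for still-unmarked packets of known connections, and only a packet that is still at mark 0 after that is treated as the first packet of a new bulk connection and stamps its connection. Because the priority rules never call CONNMARK, a single ICMP reply or ACK cannot drag a whole connection into the priority class, which is the failure mode question 2.3 is worried about.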